Re: Possible attack?

ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) writes:


The sticky-note on the monitor, or on the bottom of the keyboard (or
mouse) had a fairly short life here - we got tagged in a government
security audit many years ago, and there was hell to pay. We _try_ to
help our users by having a regular hand-out that shows ways to create
and remember more difficult passwords - the "n'th letter of the words
of a phrase/song" seems to be tolerable, and a heck of a lot more
secure than the phone number of the bookie, pizza-joint, or what-ever.

You might want to use my program wgen which generates "words" based on a
dictionary. It takes the dictionary and calculates the occurance of the
"trigrams-- combinations of three letters, including a double init to
indicate the beginning of the word. It uses urandom to grab the next letter
based on the probability of that letter being the last letter in a set of
three as determined by teh dictionary. This produces words that are not
words but are very similar in their structure to English words. It also
puts out a "entropy" for the word (ie the number of bits of entropy for each
word based on those trigrams-- it is a rough guide.

People should grab longer words with higher bit numbers, or combine shorter
words .
Here is an example-- with max length of 10 characters

ambly [17.1833]
mainterial [24.9927]
xeno [18.3541]
rectinite [25.0441]
anneau [23.2039]
bismentram [32.0393]
beworl-air [39.8553]
gumfervivi [34.0005]
prophy [16.0704]
strusion [21.3945]
unsonnersa [30.087]
corrhaceab [26.3783]
unaceae [17.1724]
terregraem [37.0352]
letason [29.3827]
avolverra [33.715]
subhensick [30.6531]
coorsomide [37.5863]
cosis [14.3989]
airer [19.1535]


Note occasionally a real word is generated.
There is about 3 bits of entropy per letter-- some more, some less.
But "airer anneau" would have an entropy of over 40. Throw in a few
capitals or even punctuation, and you might get that up to 45 (but it is
harder than you think to "throw in random punctuation"..
(Note-- that entropy basically means that if the attacker used the same
dictionary, that is a measure of how many times he would have to try to
generate your password-- ie if the ranking is 35 it would take 2^35 = 10^10 tries.
It is also better to use longer dictionaries (I have one with 400,000
words) as it makes rarer combinations more likely. (By default it uses
/usr/share/dict/words)

If you use a text document as the dictionary, especially simple text, you are likely to get simply short
words-- since the probabilities are coumputed from the whole document,
with its repetitions of of words (a, the) biasing the results.

http:www.theory.physics.ubc.ca/wgen/wgen.c or
http:www.theory.physics.ubc.ca/wgen/wgen for the binary.

.

Quantcast